From: Vladimir Sementsov-Ogievskiy
To: qemu-devel@nongnu.org
Cc: philmd@linaro.org, david@redhat.com, peterx@redhat.com, pbonzini@redhat.com, peter.maydell@linaro.org, vsementsov@yandex-team.ru, yc-core@yandex-team.ru
Subject: [PATCH v2] coverity: physmem: use simple assertions instead of modelling
Date: Thu, 5 Oct 2023 17:03:26 +0300
Message-Id: <20231005140326.332830-1-vsementsov@yandex-team.ru>

Unfortunately Coverity doesn't follow the logic around the "len" and "l" variables in call stacks finishing with flatview_{read,write}_continue() and generates a lot of OVERRUN false positives. When a small buffer (2 or 4 bytes) is passed to the mem read/write path, Coverity assumes the worst case of sz=8 in stn_he_p()/ldn_he_p() (defined in include/qemu/bswap.h) and reports a buffer overrun. To silence these false positives we have model functions, which hide the real logic from Coverity.
However, it turned out that these two new assertions are enough to quiet Coverity. Assertions are better than hiding the logic, so let's drop the modelling and move to assertions for the memory r/w call stacks.

After the patch, the sequence

  cov-make-library --output-file /tmp/master.xmldb \
      scripts/coverity-scan/model.c
  cov-build --dir ~/covtmp/master make -j9
  cov-analyze --user-model-file /tmp/master.xmldb \
      --dir ~/covtmp/master --all --strip-path "$(pwd)
  cov-format-errors --dir ~/covtmp/master \
      --html-output ~/covtmp/master_html_report

generates for me the same big set of CIDs except for 6 that disappeared (so it becomes even better).

Signed-off-by: Vladimir Sementsov-Ogievskiy
Acked-by: David Hildenbrand
---
v2: add a-b by David

 scripts/coverity-scan/model.c | 88 -----------------------------------
 softmmu/physmem.c             | 18 +++++++
 2 files changed, 18 insertions(+), 88 deletions(-)

diff --git a/scripts/coverity-scan/model.c b/scripts/coverity-scan/model.c
index 686d1a3008..a064d84084 100644
--- a/scripts/coverity-scan/model.c
+++ b/scripts/coverity-scan/model.c
@@ -42,94 +42,6 @@ typedef _Bool bool; =20 typedef struct va_list_str *va_list; =20 -/* exec.c */ - -typedef struct AddressSpace AddressSpace; -typedef struct MemoryRegionCache MemoryRegionCache; -typedef uint64_t hwaddr; -typedef uint32_t MemTxResult; -typedef struct MemTxAttrs {} MemTxAttrs; - -static void __bufwrite(uint8_t *buf, ssize_t len) -{ - int first, last; - __coverity_negative_sink__(len); - if (len =3D=3D 0) return; - buf[0] =3D first; - buf[len-1] =3D last; - __coverity_writeall__(buf); -} - -static void __bufread(uint8_t *buf, ssize_t len) -{ - __coverity_negative_sink__(len); - if (len =3D=3D 0) return; - int first =3D buf[0]; - int last =3D buf[len-1]; -} - -MemTxResult address_space_read_cached(MemoryRegionCache *cache, hwaddr add= r, - MemTxAttrs attrs, - void *buf, int len) -{ - MemTxResult result; - // TODO: investigate impact of treating reads as producing - // tainted data, with __coverity_tainted_data_argument__(buf). - __bufwrite(buf, len); - return result; -} - -MemTxResult address_space_write_cached(MemoryRegionCache *cache, hwaddr ad= dr, - MemTxAttrs attrs, - const void *buf, int len) -{ - MemTxResult result; - __bufread(buf, len); - return result; -} - -MemTxResult address_space_rw_cached(MemoryRegionCache *cache, hwaddr addr, - MemTxAttrs attrs, - void *buf, int len, bool is_write) -{ - if (is_write) { - return address_space_write_cached(cache, addr, attrs, buf, len); - } else { - return address_space_read_cached(cache, addr, attrs, buf, len); - } -} - -MemTxResult address_space_read(AddressSpace *as, hwaddr addr, - MemTxAttrs attrs, - void *buf, int len) -{ - MemTxResult result; - // TODO: investigate impact of treating reads as producing - // tainted data, with __coverity_tainted_data_argument__(buf). 
- __bufwrite(buf, len); - return result; -} - -MemTxResult address_space_write(AddressSpace *as, hwaddr addr, - MemTxAttrs attrs, - const void *buf, int len) -{ - MemTxResult result; - __bufread(buf, len); - return result; -} - -MemTxResult address_space_rw(AddressSpace *as, hwaddr addr, - MemTxAttrs attrs, - void *buf, int len, bool is_write) -{ - if (is_write) { - return address_space_write(as, addr, attrs, buf, len); - } else { - return address_space_read(as, addr, attrs, buf, len); - } -} - /* Tainting */ =20 typedef struct {} name2keysym_t; diff --git a/softmmu/physmem.c b/softmmu/physmem.c index 309653c722..03e2f9bee6 100644 --- a/softmmu/physmem.c +++ b/softmmu/physmem.c @@ -2714,6 +2714,15 @@ static MemTxResult flatview_write_continue(FlatView = *fv, hwaddr addr, l =3D memory_access_size(mr, l, addr1); /* XXX: could force current_cpu to NULL to avoid potential bugs */ + + /* + * Assure Coverity (and ourselves) that we are not going to OV= ERRUN + * the buffer by following ldn_he_p(). + */ + assert((l =3D=3D 1 && len >=3D 1) || + (l =3D=3D 2 && len >=3D 2) || + (l =3D=3D 4 && len >=3D 4) || + (l =3D=3D 8 && len >=3D 8)); val =3D ldn_he_p(buf, l); result |=3D memory_region_dispatch_write(mr, addr1, val, size_memop(l), attrs); @@ -2784,6 +2793,15 @@ MemTxResult flatview_read_continue(FlatView *fv, hwa= ddr addr, l =3D memory_access_size(mr, l, addr1); result |=3D memory_region_dispatch_read(mr, addr1, &val, size_memop(l), attrs); + + /* + * Assure Coverity (and ourselves) that we are not going to OV= ERRUN + * the buffer by following stn_he_p(). + */ + assert((l =3D=3D 1 && len >=3D 1) || + (l =3D=3D 2 && len >=3D 2) || + (l =3D=3D 4 && len >=3D 4) || + (l =3D=3D 8 && len >=3D 8)); stn_he_p(buf, l, val); } else { /* RAM case */ --=20 2.34.1
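Review bot: dropping the models in the `/* exec.c */` section of model.c also drops both `// TODO: investigate impact of treating reads as producing tainted data, with __coverity_tainted_data_argument__(buf).` comments, and nothing else in the patch records that idea; if it is still wanted, carry it into the commit message or into the `/* Tainting */` section that remains. It is also worth checking that none of the typedefs removed here (`AddressSpace`, `MemoryRegionCache`, `hwaddr`, `MemTxResult`, `MemTxAttrs`) is referenced by a model further down in model.c, since the hunk only shows the `/* Tainting */` header as trailing context.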
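Review bot: the comment above the new assert in flatview_write_continue() should say why the condition is spelled out as four `(l == N && len >= N)` cases instead of the shorter `assert(l <= len)`: the commit message says these exact assertions are what quiets Coverity, so a later cleanup that folds the disjunction into one comparison could bring the OVERRUN reports back. A second sentence such as `Keep the case-by-case form; Coverity needs it to pair l with len.` would protect that intent.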
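Review bot: in the flatview_read_continue() hunk the assert sits after `memory_region_dispatch_read(mr, addr1, &val, size_memop(l), attrs);` but before stn_he_p(), whereas the write-side hunk checks before any access is issued. For symmetry, and so that a violated invariant fails before the MMIO read is dispatched to the device, place the assert directly under `l = memory_access_size(mr, l, addr1);` here as well; the stn_he_p() overrun is prevented either way, since the store to buf happens after the check.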
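As an added illustration of why the asserted invariant holds (example code written for this page, not QEMU's code), the block below re-implements in simplified form the pieces the commit message names: demo_ldn_he_p() stands in for ldn_he_p() from include/qemu/bswap.h, demo_access_size() stands in for memory_access_size() from softmmu/physmem.c under the assumption of an aligned-only region, and demo_access_fits() is the case-by-case predicate from the patch. demo_walk() steps through a buffer the way flatview_write_continue() does, always deriving l from the remaining len and only ever shrinking it before the load; the demo_* names and the sample buffer are constructed for this example.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Stand-in for ldn_he_p(): host-endian load of exactly `sz` bytes.
 * Loading `sz` bytes from a buffer holding fewer is the OVERRUN that
 * Coverity reports when it cannot see that sz <= len.
 */
static uint64_t demo_ldn_he_p(const void *ptr, unsigned sz)
{
    switch (sz) {
    case 1: { uint8_t  v; memcpy(&v, ptr, 1); return v; }
    case 2: { uint16_t v; memcpy(&v, ptr, 2); return v; }
    case 4: { uint32_t v; memcpy(&v, ptr, 4); return v; }
    case 8: { uint64_t v; memcpy(&v, ptr, 8); return v; }
    default: abort();
    }
}

/* Largest power of two not greater than l (l > 0). */
static unsigned demo_pow2floor(unsigned l)
{
    while (l & (l - 1)) {
        l &= l - 1;
    }
    return l;
}

/*
 * Simplified stand-in for memory_access_size() (assumption: the region
 * does not allow unaligned access). Starting from the remaining length
 * l it only ever shrinks l: bound by the region's maximum access size,
 * then by the alignment of addr, then rounded down to a power of two.
 * That monotonic shrinking is why l <= len always holds in the caller.
 */
static unsigned demo_access_size(unsigned access_size_max, unsigned l, uint64_t addr)
{
    uint64_t align_size_max;

    if (access_size_max == 0) {
        access_size_max = 4;           /* regions are always byte accessible */
    }
    align_size_max = addr & -addr;     /* lowest set bit of addr */
    if (align_size_max != 0 && align_size_max < access_size_max) {
        access_size_max = (unsigned)align_size_max;
    }
    if (l > access_size_max) {
        l = access_size_max;
    }
    return demo_pow2floor(l);
}

/* The predicate the patch asserts, factored out so it can be exercised. */
static bool demo_access_fits(unsigned l, size_t len)
{
    return (l == 1 && len >= 1) || (l == 2 && len >= 2) ||
           (l == 4 && len >= 4) || (l == 8 && len >= 8);
}

/*
 * Walk `buf` the way flatview_write_continue() walks an MMIO write:
 * l = remaining len, clamp it, check the invariant, load l bytes, advance.
 * Records each step's access size in `sizes` and returns the step count.
 * Demo buffers are small, so the size_t -> unsigned cast is safe here.
 */
static int demo_walk(const uint8_t *buf, size_t len, uint64_t addr,
                     unsigned access_size_max, unsigned *sizes, int max_steps)
{
    int n = 0;

    while (len > 0 && n < max_steps) {
        unsigned l = demo_access_size(access_size_max, (unsigned)len, addr);
        assert(demo_access_fits(l, len));      /* the check the patch adds */
        (void)demo_ldn_he_p(buf, l);           /* in bounds because l <= len */
        sizes[n++] = l;
        len  -= l;
        buf  += l;
        addr += l;
    }
    return n;
}

/* Encodes the access sizes of a walk as decimal digits, e.g. {4,2,1} -> 421. */
static uint64_t demo_sizes_signature(size_t len, uint64_t addr, unsigned access_size_max)
{
    static const uint8_t zero_buf[64];        /* constructed sample buffer */
    unsigned sizes[64];
    uint64_t sig = 0;
    int n, i;

    assert(len <= sizeof(zero_buf));
    n = demo_walk(zero_buf, len, addr, access_size_max, sizes, 64);
    for (i = 0; i < n; i++) {
        sig = sig * 10 + sizes[i];
    }
    return sig;
}

int main(void)
{
    printf("7 bytes @0x1000, max 8 -> %llu\n", (unsigned long long)demo_sizes_signature(7, 0x1000, 8));
    printf("6 bytes @0x1002, max 4 -> %llu\n", (unsigned long long)demo_sizes_signature(6, 0x1002, 4));
    printf("what Coverity feared, fits(8, 4) = %d\n", demo_access_fits(8, 4));
    return 0;
}
```

The walk never trips the assertion because every l handed to the load was derived from len in the same iteration and only reduced; the 8-byte load from a 4-byte buffer that Coverity imagines corresponds to demo_access_fits(8, 4), which is exactly the case the predicate rejects.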